Problems getting collabora docker container working

this is what my log is showing. It used to work fine.

collabora | wsd-00001-00001 2024-09-01 14:18:17.579462 +0000 [ coolwsd ] DBG New SocketPoll [websrv_poll] owned by 0x7f0ed7dfe840| net/Socket.cpp:244
collabora | wsd-00001-00001 2024-09-01 14:18:17.579605 +0000 [ coolwsd ] TRC Initialize StorageConnectionManager| wsd/COOLWSD.cpp:2956
collabora | wsd-00001-00001 2024-09-01 14:18:17.581314 +0000 [ coolwsd ] INF Using SSL_CERT_FILE of: /etc/ssl/certs/ca-certificates.crt| net/Ssl.cpp:154
collabora | wsd-00001-00001 2024-09-01 14:18:17.618476 +0000 [ coolwsd ] INF Initialized Client SSL.| wsd/wopi/StorageConnectionManager.cpp:235
collabora | wsd-00001-00001 2024-09-01 14:18:17.618509 +0000 [ coolwsd ] DBG New SocketPoll [prisoner_poll] owned by 0x7f0ed7dfe840| net/Socket.cpp:244
collabora | wsd-00001-00001 2024-09-01 14:18:17.618521 +0000 [ coolwsd ] DBG New SocketPoll [accept_poll] owned by 0x7f0ed7dfe840| net/Socket.cpp:244
collabora | wsd-00001-00001 2024-09-01 14:18:17.618530 +0000 [ coolwsd ] DBG New SocketPoll [admin] owned by 0x7f0ed7dfe840| net/Socket.cpp:244
collabora | wsd-00001-00001 2024-09-01 14:18:17.618584 +0000 [ coolwsd ] INF AdminModel ctor.| wsd/AdminModel.hpp:350
collabora | wsd-00001-00001 2024-09-01 14:18:17.618596 +0000 [ coolwsd ] INF Admin ctor| wsd/Admin.cpp:524
collabora | wsd-00001-00001 2024-09-01 14:18:17.618602 +0000 [ coolwsd ] TRC Total system memory: 16261420 KB| wsd/Admin.cpp:526
collabora | wsd-00001-00001 2024-09-01 14:18:17.618636 +0000 [ coolwsd ] TRC control group path for memory is | common/Util-desktop.cpp:183
collabora | wsd-00001-00001 2024-09-01 14:18:17.618649 +0000 [ coolwsd ] TRC no cgroup memory limit| wsd/Admin.cpp:536
collabora | wsd-00001-00001 2024-09-01 14:18:17.618673 +0000 [ coolwsd ] TRC control group path for memory is | common/Util-desktop.cpp:183
collabora | wsd-00001-00001 2024-09-01 14:18:17.618682 +0000 [ coolwsd ] TRC no cgroup memory soft limit| wsd/Admin.cpp:546
collabora | wsd-00001-00001 2024-09-01 14:18:17.619474 +0000 [ coolwsd ] INF Total available memory: 13009136 KB (12 GB), System memory: 16261420 KB (16 GB), cgroup limit: 0 KB, cgroup soft-limit: 0 KB, configured memproportion: 80%, actual percentage of system total: 80%, current usage: 65272 KB (0.5% of limit)| wsd/Admin.cpp:572
collabora | wsd-00001-00001 2024-09-01 14:18:17.619505 +0000 [ coolwsd ] INF hardware threads: 4| wsd/Admin.cpp:587
collabora | wsd-00001-00001 2024-09-01 14:18:17.619533 +0000 [ coolwsd ] TRC Initialize StorageBase| wsd/COOLWSD.cpp:2964
collabora | wsd-00001-00001 2024-09-01 14:18:17.621010 +0000 [ coolwsd ] TRC Comparing smaps_rollup read and rewind+read: 52428 vs 52428| wsd/COOLWSD.cpp:2975
collabora | wsd-00001-00001 2024-09-01 14:18:17.621105 +0000 [ coolwsd ] INF Coolwsd version details: 24.04.7.1 - 61cf2b4 - id bd2e88c5 - on Debian GNU/Linux 12 (bookworm)| wsd/COOLWSD.cpp:4333
collabora | wsd-00001-00001 2024-09-01 14:18:17.621224 +0000 [ coolwsd ] DBG New SocketPoll [remoteconfig_poll] owned by 0x7f0ed7dfe840| net/Socket.cpp:244
collabora | wsd-00001-00001 2024-09-01 14:18:17.621242 +0000 [ coolwsd ] INF Remote configuration is not specified in coolwsd.xml| wsd/COOLWSD.cpp:1125
collabora | wsd-00001-00001 2024-09-01 14:18:17.621660 +0000 [ coolwsd ] INF Locale is set to C.UTF-8| wsd/COOLWSD.cpp:4360
collabora | wsd-00001-00001 2024-09-01 14:18:17.621676 +0000 [ coolwsd ] DBG FileServerRoot: /usr/share/coolwsd| wsd/COOLWSD.cpp:4379
collabora | wsd-00001-00001 2024-09-01 14:18:17.621680 +0000 [ coolwsd ] DBG Initializing DelaySocket with 0ms.| wsd/COOLWSD.cpp:4381
collabora | wsd-00001-00001 2024-09-01 14:18:17.621746 +0000 [ coolwsd ] DBG Processing discovery.xml from /usr/share/coolwsd/discovery.xml| wsd/ClientRequestDispatcher.cpp:1924
collabora | wsd-00001-00001 2024-09-01 14:18:17.622702 +0000 [ coolwsd ] DBG Enabling editing of [odt] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.622721 +0000 [ coolwsd ] DBG Enabling editing of [fodt] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.622753 +0000 [ coolwsd ] DBG Enabling editing of [doc] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.622775 +0000 [ coolwsd ] DBG Enabling editing of [docx] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.622792 +0000 [ coolwsd ] DBG Enabling editing of [docm] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.622967 +0000 [ coolwsd ] DBG Enabling editing of [rtf] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.622983 +0000 [ coolwsd ] DBG Enabling editing of [txt] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623054 +0000 [ coolwsd ] DBG Enabling editing of [odm] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623081 +0000 [ coolwsd ] DBG Enabling editing of [oth] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623106 +0000 [ coolwsd ] DBG Enabling editing of [ods] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623166 +0000 [ coolwsd ] DBG Enabling editing of [fods] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623350 +0000 [ coolwsd ] DBG Enabling editing of [xls] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623418 +0000 [ coolwsd ] DBG Enabling editing of [xla] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623599 +0000 [ coolwsd ] DBG Enabling editing of [xlsx] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623667 +0000 [ coolwsd ] DBG Enabling editing of [xlsb] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623734 +0000 [ coolwsd ] DBG Enabling editing of [xlsm] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623802 +0000 [ coolwsd ] DBG Enabling editing of [dif] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623880 +0000 [ coolwsd ] DBG Enabling editing of [slk] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623896 +0000 [ coolwsd ] DBG Enabling editing of [csv] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623911 +0000 [ coolwsd ] DBG Enabling editing of [dbf] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.623990 +0000 [ coolwsd ] DBG Enabling editing of [odp] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624052 +0000 [ coolwsd ] DBG Enabling editing of [fodp] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624249 +0000 [ coolwsd ] DBG Enabling editing of [ppt] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624381 +0000 [ coolwsd ] DBG Enabling editing of [pptx] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624451 +0000 [ coolwsd ] DBG Enabling editing of [pptm] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624646 +0000 [ coolwsd ] DBG Enabling editing of [ppsx] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624910 +0000 [ coolwsd ] DBG Enabling editing of [odg] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.624982 +0000 [ coolwsd ] DBG Enabling editing of [fodg] extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.626518 +0000 [ coolwsd ] DBG Enabling editing of extension files| wsd/ClientRequestDispatcher.cpp:1949
collabora | wsd-00001-00001 2024-09-01 14:18:17.630378 +0000 [ coolwsd ] WRN File not found: Private key file: /etc/coolwsd/proof_key
collabora | No proof-key will be present in discovery.
collabora | If you need to use WOPI security, generate an RSA key using this command:
collabora | sudo coolconfig generate-proof-key
collabora | or if your config dir is not /etc, you can run ssh-keygen manually:
collabora | ssh-keygen -t rsa -N "" -m PEM -f "/etc/coolwsd/proof_key"
collabora | Note: the proof_key file must be readable by the coolwsd process.| wsd/ProofKey.cpp:151
collabora | wsd-00001-00001 2024-09-01 14:18:17.632227 +0000 [ coolwsd ] TRC #14: Created socket. Thread affinity set to 0x7f0ed7dfe840| net/Socket.hpp:384
collabora | wsd-00001-00001 2024-09-01 14:18:17.632249 +0000 [ coolwsd ] TRC #14: Bind to: IPv6 port: 9980| net/Socket.cpp:1051
collabora | wsd-00001-00001 2024-09-01 14:18:17.632259 +0000 [ coolwsd ] TRC #14: Listening| net/ServerSocket.hpp:77
collabora | wsd-00001-00001 2024-09-01 14:18:17.632262 +0000 [ coolwsd ] INF #14 Listening to client connections on port 9980| wsd/COOLWSD.cpp:4250
collabora | wsd-00001-00001 2024-09-01 14:18:17.632267 +0000 [ coolwsd ] TRC Creating thread for SocketPoll prisoner_poll| net/Socket.cpp:312
collabora | wsd-00001-00001 2024-09-01 14:18:17.632390 +0000 [ coolwsd ] TRC #15: Created socket. Thread affinity set to 0x7f0ed7dfe840| net/Socket.hpp:384
collabora | wsd-00001-00001 2024-09-01 14:18:17.632404 +0000 [ coolwsd ] INF #15: Binding to Unix socket for local server with base name: 0coolwsd-| net/Socket.cpp:1233
collabora | wsd-00001-00001 2024-09-01 14:18:17.632428 +0000 [ coolwsd ] TRC #15: Binding to Unix socket location [coolwsd-6z4cTPhY], result: 0| net/Socket.cpp:1260
collabora | wsd-00001-00001 2024-09-01 14:18:17.632437 +0000 [ coolwsd ] TRC #15: Listening| net/ServerSocket.hpp:77
collabora | wsd-00001-00001 2024-09-01 14:18:17.632446 +0000 [ coolwsd ] INF Listening to prisoner connections on coolwsd-6z4cTPhY| wsd/COOLWSD.cpp:4183
collabora | wsd-00001-00001 2024-09-01 14:18:17.632455 +0000 [ coolwsd ] TRC Inserting socket #15, address , into prisoner_poll| net/Socket.hpp:742
collabora | wsd-00001-00001 2024-09-01 14:18:17.632463 +0000 [ coolwsd ] TRC #15: Resetting thread affinity while in transit (was 0x7f0ed7dfe840)| net/Socket.hpp:337
collabora | wsd-00001-00001 2024-09-01 14:18:17.632479 +0000 [ coolwsd ] INF Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4421
collabora | wsd-00001-00027 2024-09-01 14:18:17.632439 +0000 [ prisoner_poll ] INF Thread 27 (7f0ed6ab56c0) of process 1 formerly unnamed is now called [prisoner_poll]| common/Util.cpp:325
collabora | wsd-00001-00027 2024-09-01 14:18:17.632471 +0000 [ prisoner_poll ] INF Starting polling thread [prisoner_poll] with thread affinity set to 0x7f0ed6ab56c0.| net/Socket.cpp:375
collabora | wsd-00001-00027 2024-09-01 14:18:17.632485 +0000 [ prisoner_poll ] TRC ppoll start, timeoutMicroS: 64000000 size 0| net/Socket.cpp:430
collabora | wsd-00001-00027 2024-09-01 14:18:17.632499 +0000 [ prisoner_poll ] TRC Poll completed with 1 live polls max (64000000us)| net/Socket.cpp:448
collabora | wsd-00001-00027 2024-09-01 14:18:17.632509 +0000 [ prisoner_poll ] TRC #6: Handling events of wakeup pipe: 0x1| net/Socket.cpp:457
collabora | wsd-00001-00027 2024-09-01 14:18:17.632521 +0000 [ prisoner_poll ] TRC Wakeup pipe read 1 bytes| net/Socket.cpp:464
collabora | wsd-00001-00027 2024-09-01 14:18:17.632529 +0000 [ prisoner_poll ] TRC Inserting 1 new sockets after the existing 0| net/Socket.cpp:476
collabora | wsd-00001-00027 2024-09-01 14:18:17.632536 +0000 [ prisoner_poll ] TRC #15: Thread affinity set to 0x7f0ed6ab56c0 (was 0)| net/Socket.hpp:326
collabora | wsd-00001-00027 2024-09-01 14:18:17.632552 +0000 [ prisoner_poll ] TRC PrisonerPoll - wakes up with 0 new children and 0 brokers and 0 kits forking| wsd/COOLWSD.cpp:3488
collabora | wsd-00001-00027 2024-09-01 14:18:17.632564 +0000 [ prisoner_poll ] INF Creating new forkit process.| wsd/COOLWSD.cpp:3511
collabora | wsd-00001-00027 2024-09-01 14:18:17.632614 +0000 [ prisoner_poll ] INF Launching forkit process: /usr/bin/coolforkit-caps --systemplate=/opt/cool/systemplate --lotemplate=/opt/collaboraoffice --childroot=/opt/cool/child-roots/1-9459ebd4/ --clientport=9980 --masterport=coolwsd-6z4cTPhY --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --ui=default| wsd/COOLWSD.cpp:3625
collabora | wsd-00001-00027 2024-09-01 14:18:17.632921 +0000 [ prisoner_poll ] INF Forkit process launched: 28| wsd/COOLWSD.cpp:3631
collabora | wsd-00001-00027 2024-09-01 14:18:17.632934 +0000 [ prisoner_poll ] TRC Rebalance children to 3, have 0 and 1 outstanding requests| wsd/COOLWSD.cpp:554
collabora | wsd-00001-00027 2024-09-01 14:18:17.632950 +0000 [ prisoner_poll ] TRC Rebalance children to 4, have 0 and 1 outstanding requests| wsd/COOLWSD.cpp:554
collabora | wsd-00001-00027 2024-09-01 14:18:17.632959 +0000 [ prisoner_poll ] TRC PollSocket container size has changed from 0 to 1| net/Socket.cpp:521
collabora | frk-00028-00028 2024-09-01 14:18:17.636304 +0000 [ coolforkit-caps ] INF Initializing frk. Local time: Sun 2024-09-01 14:18:17 +0000. Log level is [8]| common/Log.cpp:654
collabora | frk-00028-00028 2024-09-01 14:18:17.636320 +0000 [ coolforkit-caps ] INF Setting log-level to [trace and delaying setting to configured [warning] until after Forkit initialization.| kit/ForKit.cpp:654
collabora | frk-00028-00028 2024-09-01 14:18:17.636342 +0000 [ coolforkit-caps ] INF RLIMIT_AS is unlimited after setting it to unlimited.| common/Seccomp.cpp:287
collabora | frk-00028-00028 2024-09-01 14:18:17.636357 +0000 [ coolforkit-caps ] INF RLIMIT_STACK is 8192000 bytes after setting it to 8192000 bytes.| common/Seccomp.cpp:287
collabora | frk-00028-00028 2024-09-01 14:18:17.636361 +0000 [ coolforkit-caps ] INF Ignored setting RLIMIT_FSIZE to unlimited.| common/Seccomp.cpp:293
collabora | frk-00028-00028 2024-09-01 14:18:17.636366 +0000 [ coolforkit-caps ] INF Ignored setting RLIMIT_NOFILE to unlimited.| common/Seccomp.cpp:293
collabora | frk-00028-00028 2024-09-01 14:18:17.636381 +0000 [ coolforkit-caps ] DBG About to init Kit UnitBase with test | kit/ForKit.cpp:766
collabora | frk-00028-00028 2024-09-01 14:18:17.636403 +0000 [ coolforkit-caps ] ERR Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:230
collabora | frk-00028-00028 2024-09-01 14:18:17.636413 +0000 [ coolforkit-caps ] ERR Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:230
collabora | frk-00028-00028 2024-09-01 14:18:17.636425 +0000 [ coolforkit-caps ] ERR Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:230
collabora | coolforkit version details: 24.04.7.1 - 61cf2b4
collabora | Capabilities are not set for the coolforkit program.
collabora | frk-00028-00028 2024-09-01 14:18:17.636440 +0000 [ coolforkit-caps ] FTL Capabilities are not set for the coolforkit program.| kit/ForKit.cpp:780
collabora | Please make sure that the current partition was not mounted with the 'nosuid' option.
collabora | frk-00028-00028 2024-09-01 14:18:17.636457 +0000 [ coolforkit-caps ] FTL Please make sure that the current partition was not mounted with the 'nosuid' option.| kit/ForKit.cpp:781
collabora | If you are on SLES11, please set 'file_caps=1' as kernel boot option.
collabora | frk-00028-00028 2024-09-01 14:18:17.636471 +0000 [ coolforkit-caps ] FTL If you are on SLES11, please set 'file_caps=1' as kernel boot option.| kit/ForKit.cpp:782
collabora | wsd-00001-00001 2024-09-01 14:18:37.633050 +0000 [ coolwsd ] INF Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4421
collabora | wsd-00001-00001 2024-09-01 14:18:57.633705 +0000 [ coolwsd ] INF Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4421

I don’t know what I did wrong, or if I missed something?

And then of course I read the logs myself and see the permission errors. So I used Privileged and everything is fine again… dunno why privileged wasn’t in my docker xml in Unraid anymore.

No way I can run it without privileged?

When compiling Collabora Online (COOL) in a Docker environment, you might come across the need to run the Docker container with the --privileged flag, especially when dealing with the creation of a “jail” environment. This flag is required due to the specific operations that are needed for the build process, which require extended privileges.

Why --privileged is Required:

  1. Namespace Manipulation:
    • Chroot/Jail Creation: During the build process, a jail environment may be created using chroot, which changes the apparent root directory for the running process. Creating and operating within a chroot jail requires elevated privileges, as it involves altering namespaces and potentially mounting filesystems within the container.
    • The --privileged flag gives the container all capabilities that are typically dropped by default in Docker, such as SYS_ADMIN, which is required for chroot operations.
  2. Mounting Filesystems:
    • The build process might involve mounting directories, filesystems, or bind mounts, which also require elevated permissions. Operations like mounting or unmounting filesystems are typically restricted to privileged users.
  3. Access to Devices:
    • Some build processes might require direct access to hardware or pseudo-filesystems (like /dev/shm, /dev/mqueue, or /proc), which are otherwise restricted. Running a container in privileged mode allows these devices to be accessed and manipulated as if the container were a full-fledged virtual machine.
  4. Extended Capabilities:
    • The --privileged flag gives the container capabilities that are not allowed by default. This includes, but is not limited to, manipulating the kernel, accessing all devices, and configuring various subsystems (e.g., cgroups).

Security Considerations:

While using the --privileged flag provides the necessary permissions for jail creation during the build, it comes with significant security risks:

  • Escalation Risks: A privileged container has nearly the same access to the host system as a root user. If the container is compromised, the attacker could gain control over the entire host system.
  • Reduced Isolation: The --privileged flag breaks the typical isolation boundaries provided by Docker, meaning that the container is no longer securely isolated from the host.

Alternatives:

If security is a concern and you want to avoid using --privileged, consider the following alternatives:

  • Fine-Grained Capabilities: Instead of using --privileged, you can use the --cap-add and --cap-drop options to add only the necessary capabilities. For example, you might only need CAP_SYS_ADMIN for mounting filesystems or creating a chroot environment.
  • Bind Mounts and Volume Sharing: Pre-mount necessary directories or filesystems using Docker’s -v or --mount options, reducing the need for runtime privilege escalation.
  • Build on the Host: Perform the compilation and jail creation on the host system outside of Docker, and then use Docker to containerize the already-built software, avoiding the need for privileged containers.

Conclusion:

The --privileged flag is required during Collabora Online’s compilation process within Docker when operations such as jail creation, filesystem manipulation, or namespace alterations are involved. However, due to the security risks, it’s important to use it only when necessary and consider alternative approaches if possible.

You can explore the detailed architecture here: Collabora Online SDK Documentation

Thanks,
Darshan
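Two things in this thread feed directly into a check you can script: the three cap_* names in the ERR lines of the log at the top (cap_sys_chroot, cap_fowner, cap_chown) and the "Fine-Grained Capabilities" alternative in the reply above. The shell script below is an added example, not code from the thread or from the Collabora project. It turns those log lines into the narrowest --cap-add list instead of --privileged, and separately flags nosuid mounts, the condition the FTL line in the log points at, because the kernel ignores a binary's file capabilities (setcap) on such a mount. It assumes the log line format shown above and the /proc/self/mounts field layout; the sample log and mount lines are constructed, and <image> is a placeholder for whatever image tag is in use.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Collabora's own tooling.
# Turns the "Capability cap_X is not set" lines that coolforkit-caps logs into
# the narrowest docker --cap-add list, and flags nosuid mounts, the condition
# the FTL line in the log points at (file capabilities are ignored there).

# Constructed sample input: the three ERR lines from the log above plus one
# unrelated INF line, so the filter has something to ignore.
SAMPLE_LOG='collabora | frk-00028-00028 2024-09-01 14:18:17.636403 +0000 [ coolforkit-caps ] ERR Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:230
collabora | frk-00028-00028 2024-09-01 14:18:17.636413 +0000 [ coolforkit-caps ] ERR Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:230
collabora | frk-00028-00028 2024-09-01 14:18:17.636425 +0000 [ coolforkit-caps ] ERR Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:230
collabora | wsd-00001-00001 2024-09-01 14:18:37.633050 +0000 [ coolwsd ] INF Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4421'

# Constructed sample in /proc/self/mounts format (device, mountpoint, fstype,
# options, dump, pass); two of the three mounts carry nosuid.
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/user ext4 rw,nosuid,noexec,relatime 0 0'

# missing_caps LOG_TEXT
# Prints each capability the forkit reported as missing, in Docker's spelling
# (CAP_ prefix dropped, upper case), one per line, sorted and deduplicated.
missing_caps() {
    printf '%s\n' "$1" |
        sed -n 's/.*Capability cap_\([a-z_]*\) is not set.*/\1/p' |
        tr '[:lower:]' '[:upper:]' | sort -u
}

# cap_add_flags LOG_TEXT
# Emits one --cap-add=NAME per missing capability on a single line: the
# fine-grained replacement for --privileged.
cap_add_flags() {
    missing_caps "$1" | sed 's/^/--cap-add=/' | tr '\n' ' ' | sed 's/ $//'
}

# nosuid_mounts MOUNTS_TEXT
# Prints the mount point of every entry whose option list contains nosuid.
# The kernel does not honour file capabilities on such mounts, so a binary
# like coolforkit-caps cannot gain its capabilities there no matter what
# --cap-add allows; fixing the mount is the real remedy in that case.
nosuid_mounts() {
    printf '%s\n' "$1" | awk '$4 ~ /(^|,)nosuid(,|$)/ { print $2 }'
}

# Stand-alone demo on the constructed samples.
flags=$(cap_add_flags "$SAMPLE_LOG")
if [ -n "$flags" ]; then
    printf 'Suggested instead of --privileged: docker run %s <image>\n' "$flags"
fi
for mp in $(nosuid_mounts "$SAMPLE_MOUNTS"); do
    printf 'nosuid mount, file capabilities ignored under: %s\n' "$mp"
done
```

With live data, feed the functions real text: cap_add_flags "$(docker logs <container> 2>&1)" and nosuid_mounts "$(cat /proc/self/mounts)" run from inside the container. Two checks worth running alongside: getcap /usr/bin/coolforkit-caps (libcap) shows whether the file capabilities are present on the binary at all, and findmnt -T /usr/bin/coolforkit-caps -o TARGET,OPTIONS (util-linux) shows the options of the mount backing it. One caveat on the result: CHOWN, FOWNER and SYS_CHROOT are all in Docker's default capability set, so if the forkit still reports them missing without --privileged, look for a --cap-drop, a nosuid mount, or --security-opt no-new-privileges (which also stops file capabilities from raising privileges on exec) rather than adding more capabilities.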

@keesfluitman I have also found this amazing article by Caolan which has some overview on this :slight_smile: